CVE-2023-34617
📋 TL;DR
CVE-2023-34617 is a vulnerability in the genson library, versions through 1.6, in which an attacker can cause a denial of service or other unspecified impact by supplying crafted objects with cyclic dependencies. Applications that use genson for JSON serialization or deserialization are affected and may be exposed to resource exhaustion attacks.
💻 Affected Systems
- genson
📦 What is this software?
Genson by Genson Project
⚠️ Risk & Real-World Impact
Worst Case
Complete application crash leading to denial of service, potential memory exhaustion affecting system stability, or remote code execution if combined with other vulnerabilities.
Likely Case
Application denial of service through resource exhaustion, causing service disruption and potential data loss in processing queues.
If Mitigated
Minimal impact with proper input validation and resource limits in place, potentially causing only localized processing failures.
🎯 Exploit Status
Exploitation requires sending crafted JSON with cyclic dependencies to applications using genson. The vulnerability is well-documented in the GitHub issues.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1.7 and later
Vendor Advisory: https://github.com/owlike/genson/issues/191
Restart Required: Yes
Instructions:
1. Update the genson dependency to version 1.7 or later.
2. Update package.json or build.gradle to specify genson >=1.7.
3. Rebuild and redeploy the application.
4. Restart affected services.
🔧 Temporary Workarounds
Input Validation and Sanitization
Implement strict input validation to reject JSON with cyclic dependencies before processing it with genson.
Resource Limiting
Configure the application to limit memory and CPU usage for JSON processing operations.
🧯 If You Can't Patch
- Implement WAF rules to detect and block JSON payloads with cyclic dependencies
- Isolate genson usage to separate processes with strict resource limits and monitoring
🔍 How to Verify
Check if Vulnerable:
Check package.json, build.gradle, or pom.xml for genson dependency version <=1.6. Run 'npm list genson' or 'mvn dependency:tree | grep genson' to verify version.
Check Version:
npm list genson || mvn dependency:tree | grep genson || grep -r "genson" pom.xml build.gradle package.json
Verify Fix Applied:
Verify genson version is 1.7 or later using package manager commands. Test with sample cyclic JSON to ensure proper error handling.
📡 Detection & Monitoring
Log Indicators:
- High memory usage spikes
- Application crashes during JSON processing
- Stack overflow errors in logs
- OutOfMemoryError exceptions
Network Indicators:
- Large JSON payloads with repeated nested structures
- Rapid repeated requests with complex JSON
SIEM Query:
source=application_logs ("OutOfMemoryError" OR "StackOverflowError" OR "genson") AND ("JSON" OR "deserialization")
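The SIEM query above matches per event, but Java stack traces span several log lines, so a per-line grep can miss a hit where "StackOverflowError" and the genson frame sit on different lines from the "JSON deserialization" message. The following added example (not from the page or the genson project; the log lines and the stack frame are constructed) reassembles multi-line traces into events before applying the query's terms, and contrasts the result with naive per-line matching:

```python
import re
from dataclasses import dataclass, field

# Terms from the SIEM query on this page; matching is case-insensitive,
# as most SIEM free-text searches are.
ERROR_TERMS = ("outofmemoryerror", "stackoverflowerror", "genson")
CONTEXT_TERMS = ("json", "deserialization")

# A new log event starts with an ISO-8601 timestamp; continuation lines
# (exception message, "at ..." stack frames) belong to the preceding event.
EVENT_START = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}")

@dataclass
class LogEvent:
    header: str
    lines: list = field(default_factory=list)

    def text(self) -> str:
        return "\n".join([self.header, *self.lines])

def group_events(log_text: str) -> list:
    """Reassemble multi-line Java stack traces into single events."""
    events = []
    for line in log_text.splitlines():
        if EVENT_START.match(line):
            events.append(LogEvent(line))
        elif events:
            events[-1].lines.append(line)
    return events

def matches_query(text: str) -> bool:
    """(OutOfMemoryError OR StackOverflowError OR genson) AND (JSON OR deserialization)."""
    t = text.lower()
    return any(e in t for e in ERROR_TERMS) and any(c in t for c in CONTEXT_TERMS)

def flag_events(log_text: str) -> list:
    """Headers of events matching the query when stack traces are kept whole."""
    return [ev.header for ev in group_events(log_text) if matches_query(ev.text())]

def flag_lines(log_text: str) -> list:
    """Naive per-line version: loses hits whose terms are split across a trace."""
    return [ln for ln in log_text.splitlines() if matches_query(ln)]

# Constructed sample log (not real output); the genson stack frame is illustrative.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z INFO  orders-api GET /health ok
2024-01-01T10:00:01Z ERROR orders-api JSON deserialization failed for /orders
java.lang.StackOverflowError: null
\tat com.owlike.genson.Genson.serialize(constructed-frame)
\tat com.owlike.genson.Genson.serialize(constructed-frame)
2024-01-01T10:00:02Z WARN  orders-api OutOfMemoryError while building PDF report
"""

if __name__ == "__main__":
    print("grouped:", flag_events(SAMPLE_LOG))   # one hit: the 10:00:01 event
    print("per-line:", flag_lines(SAMPLE_LOG))   # no hits: terms are split across lines
```

The third sample event shows the query's other edge: an OutOfMemoryError with no JSON or deserialization context is correctly left unflagged.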